My server is blocking connections to the server that handles the authentication that I pass to oauth. So I was wondering if there was a way to make the OAuth fetch method go through a proxy somehow?
I can provide more information if needed.
Related
I'm working on an authentication integration with PHP 7 to authenticate to an ActiveDirectory server, for that I use basic PHP functions like ldap_connect.
However, this mode doesn't seem very secure to me, as it requires that at some point I have the user's credentials in plain text to be able to use the connection.
Is there a more secure way to perform this authentication?
For example, send just one request directly to the client's server and there it makes this connection to the OpenLDAP/AD server?
I have web services made in PHP which gives response in JSON. I have used these services in one of my iOS app.
But when I use web debugging tool like fiddler it shows all the data passing to my web services. Either I used GET or POST method.
How to secure the communication between server and the client application? Also which kind of encryption should be used to secure the data and where it should be used like either on server side or client side?
I have seen some methods like ssl/https connectivity to secure data. But I don't know how to implement that in iOS?
To Secure web service data you many people follow below authentication procedures
Basic Authentication, Authentication with NSURLConnection sendAsynchronousRequest with completion handler
OAuth 2.0,
https://github.com/nxtbgthng/OAuth2Client
SSL and TLS Authentication procedures
http://www.techrepublic.com/blog/software-engineer/use-https-certificate-handling-to-protect-your-ios-app/
Before you implement in iOS ,your backend developer (in your case PHP Developer) need to implement in the backend side and provide necessary information to you
If you use https all data is encrypted except the URL address. Some diagnostic programs can show the unencrypted communication by setting up a proxy on the device, this and MITM attacks can be averted by pinning the certificate if you are connecting to a known https server.
I know that there are many similar questions posted, but none of them refers to an HTML/javascript app where the user can access the code.
I have a private REST API written in nodejs. It is private because its only purpose is to server my HTML5 clients apps (Chrome app and Adobe Air app). So an API key is not a good solution since any user can see the javascript code.
I want to avoid bots creating accounts on my server and consuming my resources.
Is there any way to acomplish this?
An API key is a decent solution especially if you require constraints on the API key's request origin; consider that you should only accept an API key if the originating web request comes from an authorized source, such as your private domain. If a web request comes from an unauthorized domain, you could simply deny processing the request.
You can improve the security of this mechanism by utilizing a specialized encoding scheme, such as a hash-based message authentication code (HMAC). The following resource explains this mechanism clearly:
http://cloud.dzone.com/news/using-api-keys-effectively
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. If you're using Android, you can use the keytool included with the Android SDK for this purpose; if you're using another app platform, similar tools exist for them as well. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android (I'm not as familiar with how to do this on other mobile platforms), both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
I am somewhat familiar with how to set up seamless authentication in PHP/ASP.net applications with IIS in a corporate network, but I have a question that so far I have struggled to find an answer to.
With anonymous auth disabled, and windows auth enabled, i.e. seamless authentication is set up, will a PHP/ASP.net script with functionality for adding/modifying users in Active Directory (into the same "container") simply just work for someone with the correct admin privileges, i.e. in php use of just ldap_bind($conn);, or must I force the user to supply login credentials to use in the ldap_bind() function?
Please understand that I have limited knowledge and understanding of AD.
Generally, an LDAP request is transmitted on a connection where that connection has a particularly authorization state and the LDAP client examines the response from the server for indications of success or failure. The authorization state of the connection is changed by a successful bind request.
Successful requests are therefore dependent on the authorization state of the connection. Properly secured LDAP servers should require applications to bind (to change the authorization state of the connection) in order for certain requests (such as add and modify, search andcompare`) to be successful.
I want to write a hacking protected web services for PHP. Can anyone give me a example how to write that? How to send the authentication headers and how to manage it in the web service?
Many Thanks,
Naveed
First. Never write your own authentication.
Second. Save yourself the pain and serve your service up using https. It opens a lot more options for authentication that are both simple and secure. OAuth 2, Client Side SSL Certificates and even plain old Basic HTTP authentication are options if you are enforcing https. Even if you're doing your own token passing, you'll probably want to do so over SSL.
If https isn't an option, you can consider earlier versions of OAuth that don't require SSL.
Personally, I use a web service to authenticate the user. This web service return the token (a randomized string).
Then the user can call other web services with their specific arguments + the token.
If the token is not valid / expired / ... => I return a message to authenticate
else I return what should be returned :)
Hope this help...